Forem: Roberto Guerra The latest articles on Forem by Roberto Guerra (@uris77). https://forem.com/uris77 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F126671%2F9b77d49b-11eb-4f5d-9b29-12b02d64289a.jpeg Forem: Roberto Guerra https://forem.com/uris77 en GCP Notes: Configure API Gateway with Terraform Roberto Guerra Thu, 30 Sep 2021 16:39:09 +0000 https://forem.com/uris77/gcp-notes-configure-api-gateway-with-terraform-1pi3 https://forem.com/uris77/gcp-notes-configure-api-gateway-with-terraform-1pi3 <p><em>Originally posted in <a href="https://blog.openstep.net/posts/gcp-api-terraform/">https://blog.openstep.net/posts/gcp-api-terraform/</a></em></p> <p>GCP API Gateway gives you more control over access to your Cloud Functions triggered by HTTP. I will explain how to configure an API Gateway and why you might want to do that.</p> <p>According to GCP's documentation: "With API Gateway, you can create, secure, and monitor APIs for Google Cloud serverless back ends, including Cloud Functions, Cloud Run, and App Engine. Built on Envoy, API Gateway gives you high performance, scalability, and the freedom to focus on building great apps. Consumption-based and tiered pricing means you can better manage cost."</p> <p>If you have built serverless APIs in AWS, you have more than likely used AWS API Gateway to expose your lambdas as HTTP endpoints. AWS API Gateway allows you to throttle traffic, add authentication, modify headers, etc. GCP did not have an equivalent service until 2020, and as of this writing (September 2021), it is still in beta. GCP Cloud Functions provide you with an HTTP(s) endpoint by default if they have an HTTP trigger. You can also specify if the Cloud Function is publicly exposed. However, you can not secure the endpoint, nor throttle traffic, nor use a custom domain. API Gateway also provides metrics about the endpoints (latency, error rates, etc.). If you want to keep track of what applications use your APIs, you can create API keys for each application. API Gateway then allows you to view the traffic generated by each application, and you can throttle or disable APIs using the keys instead of having to modify code.</p> <h2> GCP API Gateway Components </h2> <p>The API Gateway is made up of 3 components:<br> The Config<br> The Gateway<br> The API</p> <p>The <code>Config</code> is an <a href="https://swagger.io/specification/v2/">OpenAPI v2</a> document that allows you to map the Cloud Function endpoint to an API endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">swagger</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2.0'</span> <span class="na">info</span><span class="pi">:</span> <span class="na">title</span><span class="pi">:</span> <span class="s">poe-api</span> <span class="na">description</span><span class="pi">:</span> <span class="s">API Gateway for POE</span> <span class="na">version</span><span class="pi">:</span> <span class="s">1.0.0</span> <span class="na">schemes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https</span> <span class="na">produces</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">application/json</span> <span class="na">paths</span><span class="pi">:</span> <span class="na">/api/echo</span><span class="pi">:</span> <span class="na">get</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s">Echo</span> <span class="na">operationId</span><span class="pi">:</span> <span class="s">echo</span> <span class="na">x-google-backend</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">https://project-id.cloudfunctions.net/HandlerEcho</span> <span class="na">responses</span><span class="pi">:</span> <span class="na">200</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Successful response</span> <span class="na">schema</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> </code></pre> </div> <p>This example deploys an API that forwards all requests to <code>/api/echo</code> to the Cloud Function <code>HandlerEcho.</code> It also only uses <code>HTTPS,</code> and all the endpoints return <code>JSON.</code></p> <h2> Enabling CORS </h2> <p>You need to enable CORS if your APIs are accessed from a web application. Browsers restrict cross-origin HTTP requests initiate from scripts unless the response from other origins includes the correct CORS headers. I won't explain how to configure CORS on your server; that topic is out of scope, but I'll explain how to configure GCP API Gateway to work with CORS.</p> <p>Configuring CORS can be annoying because you have to provide an additional path for every one of our endpoints. There is probably a better way of doing this, but I found that this works for me. You have to copy-paste the path you configured and change it to be an <code>options</code> request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">paths</span><span class="pi">:</span> <span class="na">/api/echo</span><span class="pi">:</span> <span class="na">get</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s">Echo</span> <span class="na">operationId</span><span class="pi">:</span> <span class="s">echo</span> <span class="na">x-google-backend</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">https://project-id.cloudfunctions.net/HandlerEcho</span> <span class="na">responses</span><span class="pi">:</span> <span class="na">200</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Successful response</span> <span class="na">schema</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">options</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s">Echo</span> <span class="na">operationId</span><span class="pi">:</span> <span class="s">echo</span> <span class="na">x-google-backend</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">https://project-id.cloudfunctions.net/HandlerEcho</span> <span class="na">responses</span><span class="pi">:</span> <span class="na">200</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Successful response</span> <span class="na">schema</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> </code></pre> </div> <h2> API Keys </h2> <p>GCP API Gateway allows you to secure &amp; monitor your APIs in several ways. APIs can be throttled and disabled based on the API Key that they used. You can create an API key for a web application and another key for machine-to-machine access. If you notice that the latter makes more requests than expected, that API Key can be throttled or disabled without affecting the web application.</p> <p>You need to configure API Keys in your config file and also using the GCP console. In your config file, add a top-level field:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">security</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">api_key</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">securityDefinitions</span><span class="pi">:</span> <span class="na">api_key</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">apiKey</span> <span class="na">name</span><span class="pi">:</span> <span class="s">apiKey</span> <span class="na">in</span><span class="pi">:</span> <span class="s">query</span> </code></pre> </div> <p>This snippet says that all endpoints expect a <code>query</code> parameter called <code>apiKey.</code> There are other types of security that API Gateway provides, but I won't cover them in this post.</p> <p>The second step is to go to the GCP console, navigate to <code>APIs &amp; Services,</code> then click on <code>Enable APIs and Services.</code> This will take you to a page where you should search for the API you created and enable it. Then return to the <code>APIs &amp; Services</code> page and click on <code>Credentials</code> and <code>Create Credentials.</code> Then select <code>API Key.</code> GCP assigns an autogenerated name to the key, but you should change it and customize it. Click on the name of the generated key, and change the name to something that describes the service using the key. The string under <code>API Key</code> is what customers of your APIs should use. You can also further restrict access by type of application and <code>HTTP referrers</code> if the key will be used by a web application. Finally, click on <code>Restrict Key</code> and select your API from the drop-down.</p> <h2> Prevent access to the backend </h2> <p>You can force everyone to use your API only via the API Gateway by disabling <code>unauthenticated</code> access to your backend. The API Gateway will use a service account to access the backend. However, if your backends are inspecting the <code>Authorization</code> header for JWT tokens, then your endpoints will stop working. This happens because the API Gateway will inject its own JWT token on that header. You will need to use a different header to provide the JWT token that your application needs. Maybe something like <code>X-Authorization,</code> but whatever you use, be consistent and make sure to document it.</p> <h2> Deploying with Terraform </h2> <p>You will use the Terraform Google provider (<a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs">https://registry.terraform.io/providers/hashicorp/google/latest/docs</a>) for deployment. You need three resources to configure an API Gateway:</p> <ul> <li>Config: google_api_gateway_api_config</li> <li>API: google_api_gateway_api</li> <li>Gateway: google_api_gateway_gateway</li> </ul> <p>The Config holds the OpenAPI document that describes the endpoints that will be served.<br> The Gateway defines an external URL that API clients will use to access the API.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">project_id</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">region</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">zone</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">api_config_id_prefix</span> <span class="p">=</span> <span class="s2">"api"</span> <span class="nx">api_id</span> <span class="p">=</span> <span class="s2">"your-api-id"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="s2">"your-gateway-id"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"API Display Name"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_api_gateway_api"</span> <span class="s2">"api_gw"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">google</span><span class="err">-</span><span class="nx">beta</span> <span class="nx">api_id</span> <span class="p">=</span> <span class="nx">local</span><span class="err">.</span><span class="nx">api_gateway_container_id</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">project_id</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="nx">local</span><span class="err">.</span><span class="nx">display_name</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_api_gateway_api_config"</span> <span class="s2">"api_cfg"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">google</span><span class="err">-</span><span class="nx">beta</span> <span class="nx">api</span> <span class="p">=</span> <span class="nx">google_api_gateway_api</span><span class="err">.</span><span class="nx">api_gw</span><span class="err">.</span><span class="nx">api_id</span> <span class="nx">api_config_id_prefix</span> <span class="p">=</span> <span class="nx">local</span><span class="err">.</span><span class="nx">api_config_id_prefix</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">project_id</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="nx">local</span><span class="err">.</span><span class="nx">display_name</span> <span class="nx">openapi_documents</span> <span class="p">{</span> <span class="nx">document</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"openapi.yaml"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="nx">filebase64</span><span class="err">(</span><span class="s2">"openapi.yml"</span><span class="err">)</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_api_gateway_gateway"</span> <span class="s2">"gw"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">google</span><span class="err">-</span><span class="nx">beta</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">project_id</span> <span class="nx">api_config</span> <span class="p">=</span> <span class="nx">google_api_gateway_api_config</span><span class="err">.</span><span class="nx">api_cfg</span><span class="err">.</span><span class="nx">id</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">local</span><span class="err">.</span><span class="nx">gateway_id</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="nx">local</span><span class="err">.</span><span class="nx">display_name</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">google_api_gateway_api_config</span><span class="err">.</span><span class="nx">api_cfg</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>You should be able to run <code>terraform plan</code> to verify the configuration, and <code>terraform apply</code> to deploy.</p> <h2> Conclusion </h2> <p>You can use GCP API Gateway to have more fine-grained control over your APIs. You saw how to do this using the OpenAPI specification and how to use API Keys to protect your endpoints. You can also leverage Terraform for declaring your API Gateway as code.</p> <h2> References </h2> <ul> <li>The Terraform Provider <a href="https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_api">https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_api</a> </li> <li>OpenAPI Extensions <a href="https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#x-google-jwt-locations">https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#x-google-jwt-locations</a> </li> <li>API Gateway Official Docs <a href="https://cloud.google.com/api-gateway/docs">https://cloud.google.com/api-gateway/docs</a> </li> </ul> gcp Go Notes: Parsing Claims in Firebase JWT Token Roberto Guerra Thu, 04 Mar 2021 15:27:04 +0000 https://forem.com/uris77/go-notes-parsing-claims-in-firebase-jwt-token-2o4j https://forem.com/uris77/go-notes-parsing-claims-in-firebase-jwt-token-2o4j <p>I struggled to parse the Firebase JWT Claims. Because claims may contain strings, maps, and arrays, the claims field type is an []interface{}. In this example, one of the claims was a list of permissions. Permissions themselves were just an array of strings. Go does not know that it is an array string, and it is impossible to convert it directly. Instead, we need an intermediary conversion.</p> <p>The Firebase Token struct is defined as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Token represents a decoded Firebase ID token.</span> <span class="c">//</span> <span class="c">// Token provides typed accessors to the common JWT fields such as Audience (aud) and Expiry (exp).</span> <span class="c">// Additionally it provides a UID field, which indicates the user ID of the account to which this token</span> <span class="c">// belongs. Any additional JWT claims can be accessed via the Claims map of Token.</span> <span class="k">type</span> <span class="n">Token</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">AuthTime</span> <span class="kt">int64</span> <span class="s">`json:"auth_time"`</span> <span class="n">Issuer</span> <span class="kt">string</span> <span class="s">`json:"iss"`</span> <span class="n">Audience</span> <span class="kt">string</span> <span class="s">`json:"aud"`</span> <span class="n">Expires</span> <span class="kt">int64</span> <span class="s">`json:"exp"`</span> <span class="n">IssuedAt</span> <span class="kt">int64</span> <span class="s">`json:"iat"`</span> <span class="n">Subject</span> <span class="kt">string</span> <span class="s">`json:"sub,omitempty"`</span> <span class="n">UID</span> <span class="kt">string</span> <span class="s">`json:"uid,omitempty"`</span> <span class="n">Firebase</span> <span class="n">FirebaseInfo</span> <span class="s">`json:"firebase"`</span> <span class="n">Claims</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}</span> <span class="s">`json:"-"`</span> <span class="p">}</span> </code></pre> </div> <p>The field we are concerned with is <code>Claims</code>. It is a map of interfaces. It will hold additional information that is added upstream when a user is created. We can assume that one of these pieces of data added is a <code>roles</code> field that consists of an array of strings. E.g.: <code>["role1", "role2", "role3"]</code></p> <p>After extracting the <code>claims</code>, and accessing the <code>roles</code> field, we need to convert the <code>interface</code> type to <code>[]interface{}</code>, because we can't convert directly from <code>interface</code> to <code>[]string</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">roles</span> <span class="o">:=</span> <span class="n">claims</span><span class="p">[</span><span class="s">"roles"</span><span class="p">]</span> <span class="k">var</span> <span class="n">roles</span> <span class="p">[]</span><span class="kt">string</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">p</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">claims</span><span class="p">[</span><span class="s">"roles"</span><span class="p">]</span><span class="o">.</span><span class="p">([]</span><span class="k">interface</span><span class="p">{})</span> <span class="p">{</span> <span class="n">roles</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">roles</span><span class="p">,</span> <span class="n">p</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>The takeaway for me was that <code>interface{}</code> can't be converted to <code>[]someType{}</code>. We can only convert from interface to another type if the shapes are similar.</p> <p>Reference:<br> <a href="https://golang.org/ref/spec#Type_assertions">https://golang.org/ref/spec#Type_assertions</a></p> go Go Notes: Auth0 validation for AWS Lambda Pt 2 Roberto Guerra Tue, 03 Mar 2020 03:58:20 +0000 https://forem.com/uris77/go-notes-auth0-validation-for-aws-lambda-pt-2-36d3 https://forem.com/uris77/go-notes-auth0-validation-for-aws-lambda-pt-2-36d3 <p>We will use the <code>auth0</code> library we forked previously, to create an AWS Lambda(lambda) authorizer. This authorizer will indicate whether a request is authorized or denied. We'll also deploy the authorizer using the <a href="https://serverless.com">serverless framework</a> and write a basic unit test for the authorizer.</p> <h3> Requirements </h3> <ul> <li>Basic understanding of what jwt is.</li> <li>Some basic Go knowledge.</li> <li>Some basic AWS Lambda knowledge.</li> <li>Some basic serverless knowledge.</li> </ul> <h3> Step 1: Configure the Lambda Authorizer </h3> <p>The lambda authorizer is defined in the <code>serverless.yaml</code> file under the <code>functions</code> block. It is no different from any other lambda, except that we won't provide any <code>events</code>. The Auth0 library we will use makes sure that the <code>issuer</code> and the <code>audience</code> match what is in the <code>jwks</code> key. We also need to provide the url that the auth0 client will use to download the <code>jwks</code> key. We'll provide these values as environment variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">functions</span><span class="pi">:</span> <span class="na">authorizer</span><span class="pi">:</span> <span class="na">handler</span><span class="pi">:</span> <span class="s">bin/authorizer</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">AUTH_ISSUER</span><span class="pi">:</span> <span class="s">${self:custom.authorizer.TOKEN_ISSUER}</span> <span class="na">AUTH_AUDIENCE</span><span class="pi">:</span> <span class="s">${self:custom.authorizer.AUDIENCE}</span> <span class="na">JWKS_URI</span><span class="pi">:</span> <span class="s">${self:custom.authorizer.JWKS_URI}</span> <span class="na">custom</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">${opt:stage, "dev"}</span> <span class="na">authorizer</span><span class="pi">:</span> <span class="s">${file(../../config/authorizer.${opt:stage,self:provider.stage}.yml)}</span> </code></pre> </div> <p><code>bin/authorizer</code> is the eventually compiled asset that will be uploaded to AWS.</p> <p>The authorizer variables are maintained in a yaml file under a <code>config</code> folder following the pattern: <code>authorizer.&lt;stage&gt;.yml</code>. Example content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">TOKEN_ISSUER</span><span class="pi">:</span> <span class="s">https://yourapp.auth0.com/</span> <span class="na">AUDIENCE</span><span class="pi">:</span> <span class="s">your-audience</span> <span class="na">JWKS_URI</span><span class="pi">:</span> <span class="s">https://yourapp.auth0.com./.well-known/jwks.json</span> </code></pre> </div> <h3> Step 2: Initialize the Auth0 Client and logger </h3> <p>We'll initialize the auth0 client and the logger in the <code>init</code> function of our <code>main.go</code>. The reason for doing this is that the AWS Lambda go runtime will keep an instance of our program running after it finishes so that it can re-use them when a request hits the warm instance. This allows us to limit instantiations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="n">log</span> <span class="s">"github.com/sirupsen/logrus"</span> <span class="s">"github.com/uris77/auth0"</span> <span class="p">)</span> <span class="k">var</span> <span class="n">auth0Client</span> <span class="n">auth0</span><span class="o">.</span><span class="n">Auth0</span> <span class="k">func</span> <span class="n">init</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Instantiate an auth0 client with a Cache with the capacity for</span> <span class="c">// 60 tokens and a ttl of 24 hours</span> <span class="n">auth0Client</span> <span class="o">=</span> <span class="n">auth0</span><span class="o">.</span><span class="n">NewAuth0</span><span class="p">(</span><span class="m">60</span><span class="p">,</span> <span class="m">518400</span><span class="p">)</span> <span class="n">log</span><span class="o">.</span><span class="n">SetFormatter</span><span class="p">(</span><span class="o">&amp;</span><span class="n">log</span><span class="o">.</span><span class="n">JSONFormatter</span><span class="p">{})</span> <span class="n">log</span><span class="o">.</span><span class="n">SetOutput</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Stdout</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>The logger is configured to format its output as <code>JSON</code> and to write to <code>Stdout</code>. Lambda will push all <code>stdout</code> to <code>Cloud Watch</code>. This allows us to view our logs as structured data. </p> <h3> Step 3: Gather Preconditions </h3> <p>The preconditions for this <code>authorizer</code> are that we need to have values for <code>AUTH_AUDIENCE</code>, <code>JWKS_URI</code> and <code>AUTH_ISSUER</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">Authorizer</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">evt</span> <span class="n">events</span><span class="o">.</span><span class="n">APIGatewayCustomAuthorizerRequest</span><span class="p">)</span> <span class="p">(</span><span class="n">events</span><span class="o">.</span><span class="n">APIGatewayCustomAuthorizerResponse</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"JWKS_URI"</span><span class="p">))</span> <span class="o">&lt;</span> <span class="m">1</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="s">"The required JWKS_URI is missing"</span><span class="p">)</span> <span class="p">}</span> <span class="n">jwkUrl</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"JWKS_URI"</span><span class="p">)</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"AUTH_AUDIENCE"</span><span class="p">))</span> <span class="o">&lt;</span> <span class="m">1</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="s">"The required AUTH_AUDIENCE is missing"</span><span class="p">)</span> <span class="p">}</span> <span class="n">aud</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"AUTH_AUDIENCE"</span><span class="p">)</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"AUTH_ISSUER"</span><span class="p">))</span> <span class="o">&lt;</span> <span class="m">1</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="s">"The required AUTH_ISSUER is missing"</span><span class="p">)</span> <span class="p">}</span> <span class="n">iss</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"AUTH_ISSUER"</span><span class="p">)</span> <span class="n">log</span><span class="o">.</span><span class="n">WithFields</span><span class="p">(</span><span class="n">log</span><span class="o">.</span><span class="n">Fields</span><span class="p">{</span> <span class="s">"event"</span><span class="o">:</span> <span class="n">evt</span><span class="p">,</span> <span class="s">"jwkUrl"</span><span class="o">:</span> <span class="n">jwkUrl</span><span class="p">,</span> <span class="s">"aud"</span><span class="o">:</span> <span class="n">aud</span><span class="p">,</span> <span class="s">"iss"</span><span class="o">:</span> <span class="n">iss</span><span class="p">,</span> <span class="s">"auth0Client"</span><span class="o">:</span> <span class="n">auth0Client</span><span class="p">,</span> <span class="s">"context"</span><span class="o">:</span> <span class="n">ctx</span><span class="p">,</span> <span class="p">})</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"Authorizer triggered"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>If all the preconditions are true, we log the initial state. This can be helpful when troubleshooting because we might want to know what were the inputs and the initial state to the <code>authorizer</code>.</p> <h3> Step 4: Validate the token </h3> <p>The authorization token is in the <code>events.APIGatewayCustomAuthorizerRequest</code> parameter of the <code>authorizer</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">APIGatewayCustomAuthorizerRequest</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Type</span> <span class="kt">string</span> <span class="s">`json:"type"`</span> <span class="n">AuthorizationToken</span> <span class="kt">string</span> <span class="s">`json:"authorizationToken"`</span> <span class="n">MethodArn</span> <span class="kt">string</span> <span class="s">`json:"methodArn"`</span> <span class="p">}</span> </code></pre> </div> <p>The token is a string and also includes the <code>Bearer</code> string.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="n">jwt</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">auth0Client</span><span class="o">.</span><span class="n">Validate</span><span class="p">(</span><span class="n">jwkUrl</span><span class="p">,</span> <span class="n">aud</span><span class="p">,</span> <span class="n">iss</span><span class="p">,</span> <span class="n">evt</span><span class="o">.</span><span class="n">AuthorizationToken</span><span class="p">)</span> </code></pre> </div> <p>The auth0 client will return a <code>jwt</code> token or an error when we validate a token against the <code>jwkUrl</code> and the <code>audience</code> and <code>issuer</code>.</p> <p>The authorizer needs to return an <code>ApiGatewayCustomAuthorizerResponse</code>, which will indicate to the Api Gateway if the request is authorized. The type is defined as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">APIGatewayCustomAuthorizerResponse</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">PrincipalID</span> <span class="kt">string</span> <span class="s">`json:"principalId"`</span> <span class="n">PolicyDocument</span> <span class="n">APIGatewayCustomAuthorizerPolicy</span> <span class="s">`json:"policyDocument"`</span> <span class="n">Context</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}</span> <span class="s">`json:"context,omitempty"`</span> <span class="n">UsageIdentifierKey</span> <span class="kt">string</span> <span class="s">`json:"usageIdentifierKey,omitempty"`</span> <span class="p">}</span> </code></pre> </div> <p>The <code>PolicyDocument</code> is what we use to authorize the request. It will include an Iam Policy Statement:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// APIGatewayCustomAuthorizerPolicy represents an IAM policy</span> <span class="k">type</span> <span class="n">APIGatewayCustomAuthorizerPolicy</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Version</span> <span class="kt">string</span> <span class="n">Statement</span> <span class="p">[]</span><span class="n">IAMPolicyStatement</span> <span class="p">}</span> <span class="c">// IAMPolicyStatement represents one statement from IAM policy with action, effect and resource</span> <span class="k">type</span> <span class="n">IAMPolicyStatement</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Action</span> <span class="p">[]</span><span class="kt">string</span> <span class="n">Effect</span> <span class="kt">string</span> <span class="n">Resource</span> <span class="p">[]</span><span class="kt">string</span> <span class="p">}</span> </code></pre> </div> <h3> Step 5: Error Handling </h3> <p>If validation failed, we can create a response with a policy that will deny the request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">events</span><span class="o">.</span><span class="n">APIGatewayCustomAuthorizerResponse</span><span class="p">{</span> <span class="n">PolicyDocument</span><span class="o">:</span> <span class="n">events</span><span class="o">.</span><span class="n">APIGatewayCustomAuthorizerPolicy</span><span class="p">{</span> <span class="n">Version</span><span class="o">:</span> <span class="s">"2012-10-17"</span><span class="p">,</span> <span class="n">Statement</span><span class="o">:</span> <span class="p">[]</span><span class="n">events</span><span class="o">.</span><span class="n">IAMPolicyStatement</span><span class="p">{</span> <span class="p">{</span> <span class="n">Action</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="s">"execute-api:Invoke"</span><span class="p">},</span> <span class="n">Effect</span><span class="o">:</span> <span class="s">"Deny"</span><span class="p">,</span> <span class="n">Resource</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="s">"arn:aws:execute-api:*"</span><span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> <span class="n">log</span><span class="o">.</span><span class="n">WithFields</span><span class="p">(</span><span class="n">log</span><span class="o">.</span><span class="n">Fields</span><span class="p">{</span> <span class="s">"jwt"</span><span class="o">:</span> <span class="n">jwt</span><span class="p">,</span> <span class="s">"err"</span><span class="o">:</span> <span class="n">err</span><span class="p">,</span> <span class="s">"response"</span><span class="o">:</span> <span class="n">r</span><span class="p">,</span> <span class="p">})</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="s">"Token Validation Failed"</span><span class="p">)</span> <span class="k">return</span> <span class="n">r</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>It is a good idea to also log the error in case we need to do some troubleshooting.</p> <p>We can also make the policy more specific and use the <code>arn</code> for the request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="n">r</span> <span class="o">:=</span> <span class="n">events</span><span class="o">.</span><span class="n">APIGatewayCustomAuthorizerResponse</span><span class="p">{</span> <span class="n">PolicyDocument</span><span class="o">:</span> <span class="n">events</span><span class="o">.</span><span class="n">APIGatewayCustomAuthorizerPolicy</span><span class="p">{</span> <span class="n">Version</span><span class="o">:</span> <span class="s">"2012-10-17"</span><span class="p">,</span> <span class="n">Statement</span><span class="o">:</span> <span class="p">[]</span><span class="n">events</span><span class="o">.</span><span class="n">IAMPolicyStatement</span><span class="p">{</span> <span class="p">{</span> <span class="n">Action</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="s">"execute-api:Invoke"</span><span class="p">},</span> <span class="n">Effect</span><span class="o">:</span> <span class="s">"Deny"</span><span class="p">,</span> <span class="n">Resource</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="n">evt</span><span class="o">.</span><span class="n">methodArn</span><span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <h3> Step 6: Happy Path </h3> <p>When validation succeeds, we only need to make two minor changes: provide a <code>PrincipalId</code> and change the <code>Policy Document</code> so that it accepts the request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">resp</span> <span class="o">:=</span> <span class="n">events</span><span class="o">.</span><span class="n">APIGatewayCustomAuthorizerResponse</span><span class="p">{</span> <span class="n">PrincipalID</span><span class="o">:</span> <span class="n">jwt</span><span class="o">.</span><span class="n">Subject</span><span class="p">(),</span> <span class="n">PolicyDocument</span><span class="o">:</span> <span class="n">events</span><span class="o">.</span><span class="n">APIGatewayCustomAuthorizerPolicy</span><span class="p">{</span> <span class="n">Version</span><span class="o">:</span> <span class="s">"2012-10-17"</span><span class="p">,</span> <span class="n">Statement</span><span class="o">:</span> <span class="p">[]</span><span class="n">events</span><span class="o">.</span><span class="n">IAMPolicyStatement</span><span class="p">{</span> <span class="p">{</span> <span class="n">Action</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="s">"execute-api:Invoke"</span><span class="p">},</span> <span class="n">Effect</span><span class="o">:</span> <span class="s">"Allow"</span><span class="p">,</span> <span class="n">Resource</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="n">evt</span><span class="o">.</span><span class="n">methodArn</span><span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> <span class="n">log</span><span class="o">.</span><span class="n">WithFields</span><span class="p">(</span><span class="n">log</span><span class="o">.</span><span class="n">Fields</span><span class="p">{</span> <span class="s">"jwt"</span><span class="o">:</span> <span class="n">jwt</span><span class="p">,</span> <span class="s">"response"</span><span class="o">:</span> <span class="n">resp</span><span class="p">,</span> <span class="p">})</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"Successfully Validated Token"</span><span class="p">)</span> <span class="k">return</span> <span class="n">resp</span><span class="p">,</span> <span class="no">nil</span> </code></pre> </div> <h3> Conclusion </h3> <p>An AWS Lambda Authorizer is the mechanism used by Api Gateway to authorize requests. It will provide an <code>APIGatewayCustomAuthorizerRequest</code> to the authorizer. This request contains both the token and the method's arn. </p> <p>We can validate the request's token with the auth0 client, and return the corresponding <code>IAM Policy Document</code>, which will indicate to Api Gateway if the request is allowed to be executed.</p> go aws jwt Go Notes: Auth0 validation for AWS Lambda Roberto Guerra Tue, 28 Jan 2020 02:08:47 +0000 https://forem.com/uris77/go-notes-auth0-validation-for-aws-lambda-2i24 https://forem.com/uris77/go-notes-auth0-validation-for-aws-lambda-2i24 <p>I found myself migrating a serverless service written in node to <code>Go</code>, and needed to write a lambda authorizer. An authorizer is simply an AWS Lambda that the API Gateway will invoke to verify if the request is authorized.</p> <p>The AWS Go SDK has a type for the API Gateway Request that the authorizer will receive. The authorizer I need is very simple for now. It will only concern itself with validating the JWT token. This token is represented by <code>AuthorizationToken</code> in the <code>APIGatewayCustomAuthorizeRequest</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">APIGatewayCustomAuthorizerRequest</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Type</span> <span class="kt">string</span> <span class="s">`json:"type"`</span> <span class="n">AuthorizationToken</span> <span class="kt">string</span> <span class="s">`json:"authorizationToken"`</span> <span class="n">MethodArn</span> <span class="kt">string</span> <span class="s">`json:"methodArn"`</span> <span class="p">}</span> </code></pre> </div> <p>I looked around for a library that I could leverage and found <code>github.com/apibillme/auth0</code>. However, it didn't quite suit my use case. The function signature for validating a token is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">Validate</span><span class="p">(</span><span class="n">jwkURL</span><span class="p">,</span> <span class="n">audience</span><span class="p">,</span> <span class="n">issuer</span> <span class="kt">string</span><span class="p">,</span> <span class="n">req</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">jwt</span><span class="o">.</span><span class="n">Token</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> </code></pre> </div> <p>The main obstacle to me using it is that the authorizer won't be receiving an <code>http.Request</code>. I needed a function where the token was a string:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">Validate</span><span class="p">(</span><span class="n">jwkURL</span><span class="p">,</span> <span class="n">audience</span><span class="p">,</span> <span class="n">issuer</span><span class="p">,</span> <span class="n">jwtToken</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">jwt</span><span class="o">.</span><span class="n">Token</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> </code></pre> </div> <p>So I cloned the repo and made the changes I needed. Since the most recent activity in that repo was over a year ago, I figured that it was being actively maintained. But I still found some value in the code, so I decided to fork it and publish my own version.</p> <p>The other interesting feature of this code is that it also includes a cache. The tokens are stored in the cache and for every request, the cache is inspected, and if the token is found in the cache, then we don't need to re-validate that token. So, there was one minor update I decided to make. The original code base requires that a cache be created explicitly before we can validate a token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">New</span><span class="p">(</span><span class="m">128</span><span class="p">,</span> <span class="m">5</span><span class="p">)</span> <span class="n">Validate</span><span class="p">(</span><span class="n">jwkEndpoint</span><span class="p">,</span> <span class="n">audience</span><span class="p">,</span> <span class="n">issuer</span><span class="p">,</span> <span class="n">ctx</span><span class="p">)</span> </code></pre> </div> <p>I was confused initially because I didn't know what <code>New</code> was doing. So, I created an <code>Auth0</code> type, along with a constructor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Auth0</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">cache</span> <span class="n">cache</span><span class="o">.</span><span class="n">Cache</span> <span class="p">}</span> <span class="c">// Create a new Auth0 client.</span> <span class="c">// keyCapacity indicates the maximum number of keys the Cache will hold.</span> <span class="c">// ttl is the time to live in seconds for keys to live in the Cache.</span> <span class="k">func</span> <span class="n">NewAuth0</span><span class="p">(</span><span class="n">keyCapacity</span> <span class="kt">int</span><span class="p">,</span> <span class="n">ttl</span> <span class="kt">int64</span><span class="p">)</span> <span class="n">Auth0</span> <span class="p">{</span> <span class="n">globalTTL</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span><span class="p">(</span><span class="n">ttl</span><span class="p">)</span> <span class="n">Cached</span> <span class="o">:=</span> <span class="n">cache</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">keyCapacity</span><span class="p">,</span> <span class="n">cache</span><span class="o">.</span><span class="n">WithTTL</span><span class="p">(</span><span class="n">globalTTL</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">))</span> <span class="k">return</span> <span class="n">Auth0</span><span class="p">{</span><span class="n">cache</span><span class="o">:</span> <span class="n">Cached</span><span class="p">}</span> <span class="p">}</span> <span class="c">// Validate - validate with JWK &amp; JWT Auth0 &amp; audience &amp; issuer for net/http</span> <span class="k">func</span> <span class="p">(</span><span class="n">a</span> <span class="n">Auth0</span><span class="p">)</span> <span class="n">Validate</span><span class="p">(</span><span class="n">jwkURL</span><span class="p">,</span> <span class="n">audience</span><span class="p">,</span> <span class="n">issuer</span><span class="p">,</span> <span class="n">jwtToken</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">jwt</span><span class="o">.</span><span class="n">Token</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="c">// process token</span> <span class="n">tokenParts</span> <span class="o">:=</span> <span class="n">strings</span><span class="o">.</span><span class="n">Split</span><span class="p">(</span><span class="n">jwtToken</span><span class="p">,</span> <span class="s">" "</span><span class="p">)</span> <span class="n">token</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">verifyBearerToken</span><span class="p">(</span><span class="n">tokenParts</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="n">a</span><span class="o">.</span><span class="n">processToken</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">jwkURL</span><span class="p">,</span> <span class="n">audience</span><span class="p">,</span> <span class="n">issuer</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Now using it is pretty simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">handler</span><span class="p">(</span><span class="n">ctx</span> <span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="n">APIGatewayCustomAuthorizerRequest</span><span class="p">)</span> <span class="n">APIGatewayCustomAuthorizerResponse</span> <span class="p">{</span> <span class="c">//Retrieve the issuer, audience and the JWKS_URI from the environment.</span> <span class="n">token</span> <span class="o">:=</span> <span class="n">req</span><span class="o">.</span><span class="n">AuthorizationToken</span> <span class="n">auth0</span> <span class="o">:=</span> <span class="n">NewAuth0</span><span class="p">(</span><span class="m">128</span><span class="p">,</span> <span class="m">60</span><span class="p">)</span> <span class="n">jwtToken</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">auth0</span><span class="o">.</span><span class="n">Validate</span><span class="p">(</span><span class="n">JWKS_URI</span><span class="p">,</span> <span class="n">audience</span><span class="p">,</span> <span class="n">issuer</span><span class="p">,</span> <span class="n">token</span><span class="p">)</span> <span class="c">// Use the jwtToken to create the response</span> <span class="p">}</span> </code></pre> </div> <p>I'm still trying to figure out how to unit test this library. My main struggle is creating a token and a key for the tests using Go. I'll write down my notes for the next blog post, before documenting how to eventually create the <code>APIGatewayCustomAuthorizerResponse</code></p> go jwt aws lambda Go Notes: Example Tests Roberto Guerra Tue, 21 Jan 2020 02:25:49 +0000 https://forem.com/uris77/go-notes-example-tests-9ho https://forem.com/uris77/go-notes-example-tests-9ho <p>Go's <a href="https://golang.org/pkg/testing/#hdr-Examples">Example Tests</a> are a great tool for documenting the expectations of our code. They are conveniently integrated with <em>godocs</em>, making the docs have more context and actual runnable examples. These tests provide a quick overview of what the code is supposed to be doing in a manner that is easily digestible for the reader without needing to understand the inner workings.</p> <h2> What are Example Tests? </h2> <p>In Example Tests, we print out the result of a function that we want to test, and we indicate the expected output as comments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">ExampleTest</span><span class="p">()</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Hello World!"</span><span class="p">)</span> <span class="c">// Output:</span> <span class="c">// Hello World!</span> <span class="p">}</span> </code></pre> </div> <p>If we can't determine the order of the output of a test, we can use <code>Unordered output</code> instead of <code>Output</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">ExampleUnorderedTest</span><span class="p">()</span> <span class="p">{</span> <span class="n">unordered</span> <span class="o">:=</span> <span class="n">afunc</span><span class="p">()</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="n">unordered</span><span class="p">)</span> <span class="c">// Unordered output:</span> <span class="c">// d</span> <span class="c">// c</span> <span class="c">// a</span> <span class="c">// b</span> <span class="p">}</span> </code></pre> </div> <h2> Naming Conventions </h2> <p>The Go community seems to have settled on two naming conventions for the example file names. Both conventions can be found in the standard library. The first one follows the pattern <code>xxx_example_test.go</code>. This can bee seen in the example tests for <code>stringer</code>: <a href="https://github.com/golang/go/blob/master/src/fmt/stringer_example_test.go">https://github.com/golang/go/blob/master/src/fmt/stringer_example_test.go</a>.</p> <p>The second pattern is <code>example_xxx_test.go</code>. This pattern is prevalent in the <code>sort</code> package of the standard library: <a href="https://github.com/golang/go/tree/master/src/sort">https://github.com/golang/go/tree/master/src/sort</a>.</p> <p># Summary<br> Example tests are a useful tool for documenting our code. They are kept relevant because they are run as tests and are embedded in the "godocs" for easy consumption.</p> go Go Notes: Omitting empty structs Roberto Guerra Fri, 10 Jan 2020 23:30:29 +0000 https://forem.com/uris77/go-notes-omitting-empty-structs-19d7 https://forem.com/uris77/go-notes-omitting-empty-structs-19d7 <p>Go provides a convenient way of marshaling and unmarshaling structs by using struct field tags. This gives us the benefit of not letting the Go naming convention to leak into the JSON structure, and it also doesn't force us to use a non-idiomatic naming convention for our APIs that will be consumed outside our team.</p> <p>Let's draft an example. We are modeling a census application that will capture basic information about people.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Person</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Name</span> <span class="kt">string</span> <span class="s">`json:"name"`</span> <span class="n">Address</span> <span class="kt">string</span> <span class="s">`json:"address"`</span> <span class="n">DateOfBirth</span> <span class="kt">string</span> <span class="s">`json:"dob"`</span> <span class="n">Occupation</span> <span class="kt">string</span> <span class="s">`json:"occupation"`</span> <span class="p">}</span> </code></pre> </div> <p>With this struct, we can encode and decode the following JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Rob Pike"</span><span class="p">,</span><span class="w"> </span><span class="nl">"address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"On a Street somewhere, in some city"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dob"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1970-01-01"</span><span class="p">,</span><span class="w"> </span><span class="nl">"occupation"</span><span class="p">:</span><span class="w"> </span><span class="s2">"engineer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>If we didn't know the address, then that field would be unmarshaled to the default value. In this case, it would be an empty string. Hence, this struct:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">Person</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"Rob Pike"</span><span class="p">,</span> <span class="n">Address</span><span class="o">:</span> <span class="s">""</span><span class="p">,</span> <span class="n">DateOfBirth</span><span class="o">:</span> <span class="s">"197-01-01"</span><span class="p">,</span> <span class="n">Occupation</span><span class="o">:</span> <span class="s">"engineer"</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>would be marshaled to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Rob Pike"</span><span class="p">,</span><span class="w"> </span><span class="nl">"address"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"dob"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1970-01-01"</span><span class="p">,</span><span class="w"> </span><span class="nl">"occupation"</span><span class="p">:</span><span class="w"> </span><span class="s2">"engineer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>There are times we don't want non-existent fields to be set to their zero values when unmarshalling them. This can be configured by using <code>omitempty</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Person</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Name</span> <span class="kt">string</span> <span class="s">`json:"name"`</span> <span class="n">Address</span> <span class="kt">string</span> <span class="s">`json:"address,omitempty"`</span> <span class="n">DateOfBirth</span> <span class="kt">string</span> <span class="s">`json:"dob"`</span> <span class="n">Occupation</span> <span class="kt">string</span> <span class="s">`json:"occupation"`</span> <span class="p">}</span> </code></pre> </div> <p>Now this person:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">Person</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"Rob Pike"</span><span class="p">,</span> <span class="n">Address</span><span class="o">:</span> <span class="s">""</span><span class="p">,</span> <span class="n">DateOfBirth</span><span class="o">:</span> <span class="s">"197-01-01"</span><span class="p">,</span> <span class="n">Occupation</span><span class="o">:</span> <span class="s">"engineer"</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>would be marshaled to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Rob Pike"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dob"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1970-01-01"</span><span class="p">,</span><span class="w"> </span><span class="nl">"occupation"</span><span class="p">:</span><span class="w"> </span><span class="s2">"engineer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>We also want to record how many children a person has. We can modify <code>Person</code> like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="k">type</span> <span class="n">Person</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Name</span> <span class="kt">string</span> <span class="s">`json:"name"`</span> <span class="n">Address</span> <span class="kt">string</span> <span class="s">`json:"address"`</span> <span class="n">DateOfBirth</span> <span class="kt">string</span> <span class="s">`json:"dob"`</span> <span class="n">Occupation</span> <span class="kt">string</span> <span class="s">`json:"occupation"`</span><span class="p">,</span> <span class="n">Dependent</span> <span class="n">Children</span> <span class="s">`json:"dependent,omitempty"`</span><span class="p">,</span> <span class="p">}</span> <span class="k">type</span> <span class="n">Children</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Name</span> <span class="kt">string</span> <span class="s">`json:"name, omitempty"`</span><span class="p">}</span> </code></pre> </div> <p>I know that someone can have more than one child, but I'm struggling coming up with didactic examples.</p> <p>If we want to unmarshal a JSON struct with no dependent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Rob Pike"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dob"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1970-01-01"</span><span class="p">,</span><span class="w"> </span><span class="nl">"occupation"</span><span class="p">:</span><span class="w"> </span><span class="s2">"engineer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Our struct will try to create a zero value for <code>Children</code>, in this case, it will be a struct with empty fields:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">Person</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"Rob Pike"</span><span class="p">,</span> <span class="n">Address</span><span class="o">:</span> <span class="s">""</span><span class="p">,</span> <span class="n">DateOfBirth</span><span class="o">:</span> <span class="s">"197-01-01"</span><span class="p">,</span> <span class="n">Occupation</span><span class="o">:</span> <span class="s">"engineer"</span><span class="p">,</span> <span class="n">Dependent</span><span class="o">:</span> <span class="n">Person</span><span class="p">{</span><span class="n">Name</span><span class="o">:</span> <span class="s">""</span><span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p>There are instances where we would actually want this to be <code>nil</code>. For example, if we are pushing this to an elasticsearch index that has mappings that do not allow empty strings for <code>name</code>. For this use case, we have to use pointers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Person</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Name</span> <span class="kt">string</span> <span class="s">`json:"name"`</span> <span class="n">Address</span> <span class="kt">string</span> <span class="s">`json:"address"`</span> <span class="n">DateOfBirth</span> <span class="kt">string</span> <span class="s">`json:"dob"`</span> <span class="n">Occupation</span> <span class="kt">string</span> <span class="s">`json:"occupation"`</span><span class="p">,</span> <span class="n">Dependent</span> <span class="o">*</span><span class="n">Children</span> <span class="s">`json:"dependent"`</span><span class="p">,</span> <span class="p">}</span> <span class="k">type</span> <span class="n">Children</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Name</span> <span class="kt">string</span> <span class="s">`json:"name, omitempty"`</span><span class="p">}</span> </code></pre> </div> <p>Our unmarshaled person with no dependent now looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">Person</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"Rob Pike"</span><span class="p">,</span> <span class="n">Address</span><span class="o">:</span> <span class="s">""</span><span class="p">,</span> <span class="n">DateOfBirth</span><span class="o">:</span> <span class="s">"197-01-01"</span><span class="p">,</span> <span class="n">Occupation</span><span class="o">:</span> <span class="s">"engineer"</span><span class="p">,</span> <span class="n">Dependent</span><span class="o">:</span> <span class="no">nil</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <h2> Summary </h2> <p>Use <code>omitempty</code> to avoid marshaling and unmarshaling non-existent fields. However, if a field is a struct, we should use pointers.</p> go Go AWS Notes: KMS - Decryption Roberto Guerra Mon, 06 Jan 2020 19:21:21 +0000 https://forem.com/uris77/go-aws-notes-kms-decryption-3nb3 https://forem.com/uris77/go-aws-notes-kms-decryption-3nb3 <p>I use KMS for serverless apps when I want to put some secrets as an environment variable (Yes, I know SSM exists). I use the serverless app and the serverless-kms-secrets (<a href="https://github.com/nordcloud/serverless-kms-secrets">https://github.com/nordcloud/serverless-kms-secrets</a>) for encrypting secrets and making it convenient for using them in a lambda. </p> <p>After installing the plugin, we can encrypt a secret in the command line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sls encrypt -n MY_SECRET -v my-password </code></pre> </div> <p>The plugin readme (<a href="https://github.com/nordcloud/serverless-kms-secrets">https://github.com/nordcloud/serverless-kms-secrets</a>) goes into more detail on how to use it.</p> <p>Decrypting the secret can be rather simple with Go, but I initially found it a bit tricky when I first tried to use it. My first attempt was something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Create an AWS Session</span> <span class="n">sess</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">session</span><span class="o">.</span><span class="n">NewSession</span><span class="p">(</span><span class="o">&amp;</span><span class="n">aws</span><span class="o">.</span><span class="n">Config</span><span class="p">{</span> <span class="n">Region</span><span class="o">:</span> <span class="n">aws</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="s">"us-west-2"</span><span class="p">),</span> <span class="p">})</span> <span class="n">svc</span> <span class="o">:=</span> <span class="n">kms</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">sess</span><span class="p">)</span> <span class="n">mypassword</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"MY_SECRET"</span><span class="p">)</span> <span class="n">input</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">kms</span><span class="o">.</span><span class="n">DecryptInput</span><span class="p">{</span><span class="n">CiphertextBlob</span><span class="o">:</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">mypassword</span><span class="p">)}</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">svc</span><span class="o">.</span><span class="n">Decrypt</span><span class="p">(</span><span class="n">input</span><span class="p">)</span> </code></pre> </div> <p>But this kept throwing an <code>InvalidCiphertextException</code> exception. The AWS documentation states that this exception occurs because "the specified ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid." The documentation also mentions that the encrypted secret is bas64 encoded. This means that I have to base64 decode the encrypted secret and use that as the value for the <code>CiphertextBlob</code> in the <code>DecryptInput</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">encpass</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"MY_SECRET"</span><span class="p">)</span> <span class="n">password</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">base64</span><span class="o">.</span><span class="n">StdEncoding</span><span class="o">.</span><span class="n">DecodeString</span><span class="p">(</span><span class="n">encpass</span><span class="p">)</span> </code></pre> </div> <p>The resulting output is of type <code>DecryptOutput</code> that looks something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">DecryptOutput</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">_</span> <span class="k">struct</span><span class="p">{}</span> <span class="s">`type:"structure"`</span> <span class="c">// ARN of the key used to perform the decryption. This value is returned if</span> <span class="c">// no errors are encountered during the operation.</span> <span class="n">KeyId</span> <span class="o">*</span><span class="kt">string</span> <span class="s">`min:"1" type:"string"`</span> <span class="c">// Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value</span> <span class="c">// is Base64-encoded. Otherwise, it is not encoded.</span> <span class="c">//</span> <span class="c">// Plaintext is automatically base64 encoded/decoded by the SDK.</span> <span class="n">Plaintext</span> <span class="p">[]</span><span class="kt">byte</span> <span class="s">`min:"1" type:"blob" sensitive:"true"`</span> <span class="p">}</span> </code></pre> </div> <p>The clear secret is now accessible through the <code>Plaintext</code> field.</p> <p>P.S.: Remember to do the appropriate error handling.</p> aws go kms